Beginning at 7:30 this morning, the UAB Spam Data Mine began receiving emails claiming to have news about the Gaza conflict from CNN News.
(A typical email)
Each of the many emails we've received points to a website that looks like this:
(click for larger image)
All of the links on the website are functional, and all really resolve to the real CNN website, with two exceptions. Attempting to play the video will result in the download of malware, and following the Adobe Player button will also result in the download of malware.
During the summer of 2008, one of the most successful spam campaigns of the year also imitated a CNN news story, leading to many home and business computers being infected by a virus.
At this time, many major anti-virus products still do not detect this malware as a virus. According to this Virus Total report only 11 of 38 anti-virus products will trigger on this file as containing a virus. (Follow the link to see if your product does or does not.)
The spam messages refer visitors to one of five different domains, each of which was registered at BizCN.com, a Chinese domain registrar who has been abused by this particular group for many months. Analysis of the malware confirms that this incident has nothing at all to do with the CyberWar being waged by pro- and anti-Israeli hackers. This is instead pure social engineering.
Just as with the many "online banking videos", the "digital certificate malware", the "Fake Bank Merger malware, yesterday's "Classmates.com reunion video", and the fake "Obama acceptance speech, this is a piece of malware which is designed to steal your passwords and send the stolen information to the criminal's server in the Ukraine, which is currently 91.211.65.30.
UAB Student and Malware Analyst, Brian Tanner, examined the Adobe_Player10.exe malware and identified that it causes your computer to download a second piece of malware from http://powerpekin.com/servicepack1.exe. That malware, which has the MD5 of 1f337515a3e96fd317dfb24e9fe67448, was only detected by 2 of 38 products at Virus Total. He then unpacked the servicepack1.exe malware and examined it to determine the stolen data was being sent to 91.211.65.30.
The domains used by this spam include:
downloadplayersnews.com
installflashadobeplaye10.com
newsinstalls.com
startinstalladobe.com
As with yesterday's ClassMates.com incident, the websites are being hosted via Fast Flux hosting, and the same fast flux hosts are being used for phishing as well, currently against MBNA bank and Sparkasse of Germany.
The false registration information provided on the domains claims that an imaginary employee of the BBC (Monnie Moulhem) residing in Spring Hill Florida registered the domains.
The computer which is being used as the "Nameserver" for these malware distribution domains resides at 74.63.217.81 -- which is the same computer which served as the nameserver for yesterday's Classmates.com malware.
While we know that many other subject lines will be used as the campaign progresses, some that we have seen so far include the subject lines:
Gaza emergency - UNICEF
Gaza Groups Report on War
Gaza: Israeli War Crimes?
In what became known as Israel's War of Independence
Israel Assaults Hamas in Gaza
Israel At 'War to the Bitter End,' Strikes Key Hamas...
Israel launches deadly Gaza attacks
Israel Puts War Footage
Israel warns Gaza of impending invasion - Israel-Palestinians ...
Israel: Preparing for War
Israel-Gaza conflict: Tens of thousands in London protest Gaza ...
IsraelGaza Strip barrier
Israeli war strategy.IDF in urban combat.
Israel's War Crimes
Israels War on Hamas:A Dozen Thoughts
News from Israel,Ynetnews - Israel at War
Now Israel declares 'war to the bitter end' - Middle East, World ...
Religious war in Gaza - Israel Opinion, Ynetnews
The 20072008 Israel-Gaza conflict refers to a series of battles between Palestinian militants
Thursday, January 08, 2009
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.